Hello everybody,
I'm merging policies using the multi-zone feature of 12.1X47. This allows a global policy to bind to several zones.
So I made the following policy. This should replace the firewall on lo0 from the default config.
user@srx100h2# show security policies global
policy any-to-junos-host-allow {
    match {
        source-address manager-ips;
        destination-address any;
        application junos-ssh;
        from-zone any;
        to-zone junos-host;
    }
    then {
        permit;
        log {
            session-init;
        }
        count;
    }
}
policy any-to-junos-host-deny {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone any;
        to-zone junos-host;
    }
    then {
        deny;
    }
}
However, traffic to the SRX is not blocked:
flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1fab0016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0 a.b.c.d/8107 -> w.x.y.z/22 proto 6 app 22, timeout 1800s, curr ageout 20s
permitted by policy self-traffic-policy(1)
packet passed, Permitted by policy.
But if I rewrite the global policy as an untrust-to-junos-host policy, traffic to the SRX is correctly blocked.
user@srx100h2# show security policies from-zone untrust to-zone junos-host
policy any-to-junos-host-allow {
    match {
        source-address manager-ips;
        destination-address any;
        application junos-ssh;
    }
    then {
        permit;
        log {
            session-init;
        }
        count;
    }
}
policy any-to-junos-host-deny {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
    }
}

flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0xc6680016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0 a.b.c.d/50792 -> w.x.y.z/22 proto 6 app 22, timeout 1800s, curr ageout 20s
packet dropped, denied by policy denied by policy any-to-junos-host-deny(16), dropping pkt
packet dropped, policy deny.
Is this by design?
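Added example, not part of the post and not Juniper code: the two flow traces above differ only in which policy the lookup lands on ("self-traffic-policy(1)" versus "any-to-junos-host-deny(16)"). When reviewing a longer `flow` traceoptions capture it is easy to miss that host-bound sessions are still being decided by the built-in self-traffic policy rather than by an operator-written deny. The parser below extracts the zone pair, endpoints and winning policy from each lookup and flags sessions towards `junos-host` that no configured policy decided. The sample trace is constructed from the lines quoted in the post; the dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two flow traces quoted in the post, one line per
# message as the SRX emits them (one policy decision per trace).
SAMPLE_TRACE = """\
flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1fab0016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0 a.b.c.d/8107 -> w.x.y.z/22 proto 6 app 22, timeout 1800s, curr ageout 20s
permitted by policy self-traffic-policy(1)
packet passed, Permitted by policy.
flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0xc6680016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0 a.b.c.d/50792 -> w.x.y.z/22 proto 6 app 22, timeout 1800s, curr ageout 20s
packet dropped, denied by policy denied by policy any-to-junos-host-deny(16), dropping pkt
packet dropped, policy deny.
"""

# "Policy lkup" carries the zone pair and the 5-tuple of the session.
LKUP_RE = re.compile(
    r"Policy lkup: vsys (?P<vsys>\d+) zone\((?P<from_id>\d+):(?P<from_zone>[^)]+)\)"
    r" -> zone\((?P<to_id>\d+):(?P<to_zone>[^)]+)\) scope:\d+"
    r" (?P<src>\S+)/(?P<sport>\d+) -> (?P<dst>\S+)/(?P<dport>\d+) proto (?P<proto>\d+)"
)
# The verdict line names the policy and its index, e.g. "permitted by policy X(1)".
VERDICT_RE = re.compile(r"(?P<action>permitted|denied) by policy (?P<policy>\S+?)\((?P<pid>\d+)\)")

# Built-in policies the operator did not write; "self-traffic-policy" is the
# one that appears in the post's first trace.
IMPLICIT_POLICIES = {"self-traffic-policy"}


@dataclass
class PolicyDecision:
    from_zone: str
    to_zone: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    action: Optional[str] = None
    policy: Optional[str] = None
    policy_id: Optional[int] = None

    def matched_implicit_policy(self) -> bool:
        return self.policy in IMPLICIT_POLICIES


def parse_flow_trace(text: str) -> List[PolicyDecision]:
    """Pair each 'Policy lkup' line with the verdict line that follows it."""
    decisions: List[PolicyDecision] = []
    current: Optional[PolicyDecision] = None
    for line in text.splitlines():
        m = LKUP_RE.search(line)
        if m:
            current = PolicyDecision(
                from_zone=m["from_zone"], to_zone=m["to_zone"],
                src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]), proto=int(m["proto"]),
            )
            decisions.append(current)
            continue
        v = VERDICT_RE.search(line)
        if v and current is not None and current.action is None:
            current.action = v["action"]
            current.policy = v["policy"]
            current.policy_id = int(v["pid"])
    return decisions


def find_unhandled_host_traffic(text: str, host_zone: str = "junos-host") -> List[PolicyDecision]:
    """Lookups towards the host zone that no operator-written policy decided."""
    return [d for d in parse_flow_trace(text)
            if d.to_zone == host_zone and (d.policy is None or d.matched_implicit_policy())]


if __name__ == "__main__":
    for d in parse_flow_trace(SAMPLE_TRACE):
        print(f"{d.from_zone}->{d.to_zone} {d.src}:{d.sport} -> {d.dst}:{d.dport} "
              f"proto {d.proto}: {d.action} by {d.policy}({d.policy_id})")
    for d in find_unhandled_host_traffic(SAMPLE_TRACE):
        print("WARNING: host-bound session decided by implicit policy:", d.policy)
```

Run against the post's first trace the check reports the SSH session as decided by `self-traffic-policy`; against the second it reports nothing, because `any-to-junos-host-deny(16)` made the decision. Feeding a whole traceoptions file through `find_unhandled_host_traffic` is a quick way to confirm that every management session is being handled by the policy you intended before relying on it.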